CN101978665B - Selective filtering of network traffic requests - Google Patents
- Publication number: CN101978665B (application CN2009801098926A)
- Authority: CN (China)
- Legal status: Active (Google Patents notes that the listed status is an assumption, not a legal conclusion, and that no legal analysis has been performed)
Classifications
- H04L41/0803 Configuration setting (H04L41/08 Configuration management of networks or network elements; H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. packet switching networks)
- H04L63/0227 Filtering policies (H04L63/02 Network architectures or protocols for separating internal from external traffic, e.g. firewalls; H04L63/00 Network architectures or network communication protocols for network security)
Abstract
Several approaches to selectively filtering network traffic are described. One approach involves a system for selectively filtering network traffic. The system includes a helper application, which is coupled to a networking program and is used to identify a user-initiated request. A network filter driver is coupled to the networking program for intercepting the user-initiated request. A filtering service is coupled to both the helper application and the network filter driver and is used to determine whether the user-initiated request is allowable. If the request is allowable, the filtering service is configured to generate a special identifier, which the helper application is configured to include in a subsequent request. The filtering service is configured to allow a subsequent request that includes the special identifier, and the network filter driver is configured to strip the special identifier from subsequent requests.
Description
Background
Selective screening or filtering of communications is a useful tool in computer network environments. When deployed appropriately, filtering communications can, for example, block access to inappropriate content, restrict the content that can be accessed from public or workplace computers, or reduce the risk of exposure to computer viruses or online fraud schemes.
Broadly, network communication filtering methods generally operate by intercepting requests from an application such as a web browser. These requests are then checked against a filtering policy, usually with further reference to a centralized authentication service. If the request is allowable under the local policy, the application is allowed to proceed with the network request; if it is not, the application may be redirected to an informational message indicating that the requested content cannot be accessed under the current policy.
Existing communication filtering methods typically include a logging function that records the requests issued by monitored applications. These logs can then be examined to determine what requests were made and what content was accessed.
Summary
Several methods of selectively filtering communications are described. One method involves determining whether an initial request is allowable. A special identifier corresponding to the initial request is generated and included in a subsequent request.
Another method involves a system for selectively filtering communications. The system includes a helper application, coupled to a networking program and used to identify a user-initiated request. A network filter driver is coupled to the networking program and used to intercept the user-initiated request. A filtering service is coupled to the helper application and the network filter driver and is used to determine whether the user-initiated request is allowable. If the request is allowable, the filtering service is configured to generate a special identifier, which the helper application is configured to include in a subsequent request. The filtering service is configured to allow a subsequent request that includes the special identifier, and the network filter driver is configured to strip the special identifier from subsequent requests.
Another method involves intercepting a user-initiated request for network-accessible content. The user-initiated request is checked against a filtering policy. An identifier corresponding to the user-initiated request is generated and included in a subsequent request. The subsequent request is intercepted and the validity of the included identifier is checked. The subsequent request is then allowed without reference to the filtering policy.
This summary is provided to introduce, in simplified form, a selection of concepts that are further described below in the detailed description. It is not intended to identify key or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Brief description of the drawings
The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments and, together with the description, serve to explain the principles of the claimed subject matter:
Fig. 1 depicts a block diagram of an exemplary computer system on which embodiments may be implemented.
Fig. 2 depicts a block diagram of an exemplary network according to one embodiment.
Fig. 3 depicts a representation of the programming layers of a computer system according to one embodiment.
Fig. 4 depicts a block diagram of an exemplary computer system and network according to one embodiment.
Fig. 5 depicts a flowchart of a method of selectively filtering network communication requests according to one embodiment.
Detailed description
Reference will now be made in detail to several embodiments. While the subject matter will be described in conjunction with alternative embodiments, it will be understood that they are not intended to limit the claimed subject matter to these embodiments. On the contrary, the claimed subject matter is intended to cover alternatives, modifications and equivalents that may be included within the spirit and scope of the claimed subject matter as defined by the appended claims.
Furthermore, in the following detailed description, numerous specific details are set forth to provide a thorough understanding of the claimed subject matter. However, those skilled in the art will recognize that embodiments may be practiced without these specific details or with equivalents thereof. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to unnecessarily obscure aspects and features of the subject matter.
Portions of the detailed description that follows are presented and discussed in terms of a method. Although steps and their sequencing are disclosed in a figure (for example, Fig. 5) describing the operations of this method, such steps and sequencing are exemplary. Embodiments are well suited to performing various other steps or variations of the steps recited in the flowchart of the figure, and in a sequence other than the one depicted and described herein.
Some portions of the detailed description are presented in terms of procedures, steps, logic blocks, processing and other symbolic representations of operations on data bits that can be performed on computer memory. These descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. A procedure, computer-executed step, logic block, process, etc. is here, and generally, conceived to be a self-consistent sequence of steps or instructions leading to a desired result. The steps are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated in a computer system. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, as is apparent from the following discussion, it is appreciated that throughout the present invention discussions using terms such as "accessing", "writing", "including", "storing", "transmitting", "traversing", "associating", "identifying" or the like refer to the actions and processes of a computer system or similar electronic computing device that manipulates data represented as physical (electronic) quantities within the computer system's registers and memories and transforms it into other data similarly represented as physical quantities within the computer system's memories or registers or other such information storage, transmission or display devices.
Computing devices such as computer system 112 typically include at least some form of computer-readable media. Computer-readable media can be any available media that can be accessed by a computing device. By way of example, and not limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computing device. Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
Some embodiments may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in the various embodiments.
Selective filtering of network communication requests
In the following embodiments, methods for selectively filtering network communication requests are described. In some of these embodiments, only user-initiated requests are filtered. Other requests, such as the automatic requests generated by a web browser when loading a page, can bypass the filtering process.
In one embodiment, a helper application is installed on the computer and interfaces with a monitored networking program such as a web browser. The helper application distinguishes between user-initiated requests, such as typing a URL or clicking a hyperlink, and automatic requests, such as the web browser's attempts to load the various images on a web page.
In this embodiment, a network filter driver may also be installed, residing between the monitored networking program and the networking stack of the computer's operating system. The network filter driver interfaces with a filtering service, also resident on the computer, to determine whether a network request is allowed to enter the networking stack. The filtering service compares the user-initiated request with a local filtering policy to determine whether the request is allowable. This comparison usually involves accessing a remote filtering server that maintains a database or list of categories for network-available content such as web pages. If the user-initiated request is allowable, the filtering service passes a special networking header to the helper application.
The helper application can then include this special networking header in the automatic requests associated with the allowable user-initiated request. For these automatic requests, the presence of the special networking header indicates to the filtering service that the request may be allowed without authentication or logging; the special networking header is stripped by the network filter driver, and the automatic request is allowed to access the networking stack.
This embodiment results in a filtering service that produces more readable log files, because the automatic requests generated by accessing allowable content are not included in the log of user-initiated requests. In addition, because the automatic requests associated with an already cleared user-initiated request need not be authenticated separately, this embodiment results in fewer accesses to the remote filtering server.
Basic computing system
Referring now to Fig. 1, a block diagram of an exemplary computer system 112 is shown. It is appreciated that computer system 112 described herein illustrates an exemplary configuration of an operational platform upon which embodiments may be advantageously implemented. Nevertheless, other computer systems with differing configurations can also be used in place of computer system 112 within the scope of the present invention. That is, computer system 112 can include elements other than those described in conjunction with Fig. 1. Moreover, embodiments may be practiced on any system that can be configured to enable them, not just computer systems like computer system 112. It is understood that embodiments can be practiced on many different types of computer system 112. System 112 can be implemented as, for example, a desktop computer system or server computer system having a powerful general-purpose CPU coupled to a dedicated graphics rendering GPU. In such an embodiment, components can be included that add peripheral buses, specialized audio/video components, I/O devices and the like. Similarly, system 112 can be implemented as a handheld device (e.g., a cell phone) or as a set-top box or video game console device such as, for example, the Xbox available from Microsoft of Redmond or the PlayStation 3 available from SCE of Tokyo. System 112 can also be implemented as a "system on a chip", where the electronics of the computing device (e.g., components 101, 103, 105, 106, etc.) are wholly contained within a single integrated circuit die. Examples include a handheld instrument with a display, a car navigation system, a portable entertainment system and the like.
Computer system 112 includes an address/data bus 100 for communicating information, a central processing unit 101 coupled with bus 100 for processing information and instructions, a volatile memory unit 102 (e.g., random access memory [RAM], static RAM, dynamic RAM, etc.) coupled with bus 100 for storing information and instructions for central processing unit 101, and a non-volatile memory unit 103 (e.g., read-only memory [ROM], programmable ROM, flash memory, etc.) coupled with bus 100 for storing static information and instructions for processor 101. In addition, computer system 112 also includes a data storage device 104 (e.g., a hard disk drive) for storing information and instructions.
Computer system 112 also includes an optional graphics subsystem 105, an optional alphanumeric input device 106, an optional cursor control or directing device 107, and a signal communication interface (input/output device) 108. Optional alphanumeric input device 106 can communicate information and command selections to central processing unit 101. Optional cursor control or directing device 107 is coupled to bus 100 for communicating user input information and command selections to central processing unit 101. Signal communication interface (input/output device) 108, also coupled to bus 100, can be a serial port. Communication interface 108 may also include wireless communication mechanisms. Using communication interface 108, computer system 112 can be communicatively coupled to other computer systems over a communication network such as the Internet or an intranet (e.g., a local area network), or can receive data (e.g., a digital television signal). Computer system 112 may also include a graphics subsystem 105 for presenting information to the computer user, e.g., by displaying information on an attached display device 110 connected by a video cable 111. In some embodiments, graphics subsystem 105 is incorporated into central processing unit 101. In other embodiments, graphics subsystem 105 is a separate, discrete component. In other embodiments, graphics subsystem 105 is incorporated into another component. In still other embodiments, graphics subsystem 105 is included in system 112 in other ways.
Exemplary networked environment
Referring now to Fig. 2, an exemplary network 200 according to one embodiment is depicted. While network 200 is shown as incorporating specific, enumerated features and elements, it is understood that embodiments are well suited to applications involving additional, fewer or different features, elements or arrangements.
In the depicted embodiment, client computer 201 can access a number of destination web sites 260 and 270 via Internet 299. In the depicted embodiment, client computer 201 includes network filtering software 215. Before client computer 201 is allowed to request content from a particular destination site, network filtering software 215 determines whether to allow or deny the request. In some embodiments, network filtering software 215 accesses a filtering server 290 via Internet 299 to determine whether the request is allowed to proceed or is blocked.
A single user-initiated request for access to some content will often cause a web application to issue many requests. For example, if a user enters into a web browser the URL of a web site that includes multiple images retrieved from different locations, that single user-initiated request causes the web browser to issue a separate request for each image included on the requested site. The web browser may also issue requests for other content, for example advertising banners or images included on the requested site.
For example, a user of client computer 201 may request a web site hosted by destination site 260. The requested site includes images hosted by destination site 270. Client computer 201 will then issue a separate request for each image included on the requested site.
Hardware abstraction layers
Referring now to Fig. 3, a representation of the programming layers of a computer system 301 according to one embodiment is shown. While Fig. 3 depicts certain specific, enumerated features and elements, it is understood that embodiments are well suited to applications having additional, fewer or different features and elements.
As depicted in Fig. 3, computer system 301 can be conceived of as being made up of increasingly abstract layers. The lowest layer, shown here as hardware layer 330, is made up of the actual electronic components of the computer system, for example the processor, system memory or network interface card (NIC).
Above hardware layer 330, Fig. 3 shows kernel space 320. In some embodiments, interaction between kernel space 320 and hardware layer 330 is accomplished by the operation of one or more specific pieces of software, shown here as device drivers such as device driver 325. In some cases, a device driver may be specific to a particular manufacturer, or even to a specific model of a hardware component. One function of the kernel, and of the interface to it, is to provide the highest level of abstraction over the hardware of the computer system and to mediate interaction with that hardware.
The uppermost layer, shown here as user space 310, interacts with kernel space 320 through interface 315. Interface 315 exposes the functions and services made available by the kernel to applications running in user space 310. An application executing in user space 310 can call "callback handlers" (or "handlers") in the kernel to request services or to request that functions be performed on its behalf.
Filtering software components
In different embodiments, network filtering can be applied to different applications. For example, network filtering can be used in conjunction with web browsing (HTTP communication), instant messaging, gaming, online media purchase and/or playback, or peer-to-peer communication applications. In some embodiments, such as the embodiment described below with reference to Fig. 4, a network filtering "helper" application interfaces with an existing networking program, such as a web browser, through the hooks or interfaces made available by that networking program. It is understood that in other embodiments some or all of the functionality attributed to the various filtering software components described below may be incorporated into additional, fewer or different programs, components or interfaces.
Referring now to Fig. 4, a block diagram of an exemplary network 400 according to one embodiment is depicted. While network 400 is shown as incorporating specific, enumerated features and elements, it is understood that embodiments are well suited to applications involving additional, fewer or different features, elements or arrangements.
In the depicted embodiment, client computer 401 can access a number of destination web sites 460 and 470 via Internet 499. In some embodiments, client computer 401 accesses a filtering server 490 via Internet 499 to determine whether to allow or deny a request.
In the depicted embodiment, client computer 401 is shown as divided into several layers of abstraction, e.g., user space 410, kernel space 420 and hardware 430. A networking program, such as browser 411, executes in user space 410. A helper application, such as browser helper object 413, is installed on client computer 401 and interfaces with browser 411. When browser 411 issues a request, for example for a web page, the request is passed to kernel space 420 through interface 415. Before reaching networking stack 423, the request passes through filtering service 414 via filtering service API 417.
In this embodiment, filtering service 414 examines the request and compares it with the applicable local policy for network communication. During this comparison, filtering service 414 may access filtering server 490 to obtain a request category corresponding to the request; filtering service 414 may also consult a local cache of request categories previously received from filtering server 490.
Filtering service 414 determines whether to allow or deny the request, and instructs browser helper object 413 either to pass the request through or to take an appropriate denial action, for example redirecting browser 411 to a page indicating that the request is prohibited under the local policy. If the request is allowed, it is handled by the appropriate device driver 425, e.g., network driver 429, and passed to the appropriate hardware in hardware layer 430, e.g., network interface card (NIC) 431.
For allowable requests, filtering service 414 instructs browser helper object 413 to pass through the request and similar requests, for example the automatic requests generated by browser 411 that are associated with the allowable user-initiated request. In some embodiments, filtering service 414 interfaces with browser helper object 413 via an API such as filtering service API 417. In some embodiments, filtering service 414 passes a special identifier to browser helper object 413. Browser helper object 413 can then include this special identifier in such automatic requests. When network filter driver 421 receives a request containing a valid special identifier, filtering service 414 may instruct network filter driver 421 to remove the special identifier and pass the request through without authenticating it.
In different embodiments, different methods are used to generate the special identifier. For example, in one embodiment a new identifier is generated for each user-initiated request. In other embodiments, an identifier may be generated when the user logs on to the computer. Furthermore, different information may be used in generating the identifier. For example, in one embodiment the special identifier is generated by applying a hash function to a number generated when the user logs on, a timestamp, and part of the content of the user-initiated request. Including the timestamp helps prevent fraudulent use of the special identifier, for example where a previously sent special identifier is attached to a new request; similarly, the timestamp allows the special identifier to "expire", which is particularly useful when handling content that is updated rapidly and should be verified frequently, such as many web pages.
Method of selectively filtering network communication requests
Referring now to Fig. 5, a flowchart 500 of a method of selectively filtering network communication requests according to one embodiment is depicted. Although specific steps are disclosed in flowchart 500, such steps are exemplary. That is, embodiments of the present invention are well suited to performing various other (additional) steps or variations of the steps recited in flowchart 500. It is appreciated that the steps in flowchart 500 may be performed in an order different from that presented, and that not all of the steps in flowchart 500 need be performed.
Referring now to step 501, a user-initiated request is received. In different embodiments, the user-initiated request may take different forms. For example, in an embodiment involving web communication filtering, the user may type a URL into the address bar of a web browser, or may click a hyperlink displayed on a web page.
Referring now to step 510, the user-initiated request is intercepted. As discussed above, this step may be performed in different ways in different embodiments. In an embodiment involving network communication filtering, for example, a browser helper object uses functions made available by the web browser to detect user-initiated requests and to distinguish them from automatic requests. In some embodiments, this helper application may communicate directly with a filtering service, e.g., one running on the same computer. In other embodiments, the request is intercepted by another agent, e.g., a network filter driver, positioned between the requester and the operating system's networking stack.
For example, with reference to Fig. 4, a user types into browser 411 the URL of a web site hosted on destination site 460. Browser helper object 413 notes that the request is a user-initiated request and calls filtering service 414 via API 417.
Referring now to step 520, the filtering service checks the user-initiated request against a filtering policy. As discussed above, the local filtering policy is used to determine whether a request is allowed or blocked. When evaluating a user-initiated request, some embodiments involve the filtering service requesting from a remote filtering server data corresponding to the category of the user-initiated request, e.g., a category for the specific requested web page generated by the remote filtering server. Comparing this category with the applicable filtering policy determines whether the request is allowable. In some embodiments, the filtering service notifies the helper application and/or the network filter driver of the result of this comparison. Additionally, in some embodiments, the user-initiated request is logged, e.g., a user-initiated request for a web site is recorded in a log file.
Referring now to step 523, if it is determined that the request is not allowable, the user is so notified. In some embodiments, the helper application may cause the user's networking program to display a message indicating that the request is not allowable under the current policy; for example, the browser helper object may redirect the web browser to a page indicating that the request is not allowable. In other embodiments, the network filter driver is used in this step, for example by modifying the outgoing request to direct it to the page providing this information.
Referring now to step 525, if the request is allowable, the filtering service generates a special identifier. As discussed above, the special identifier may be generated in different ways in different embodiments. Moreover, in different embodiments the special identifier may be implemented in different forms, for example as a header included in the request.
Continuing the earlier example, filtering service 414 examines the user-initiated request and compares it with the applicable local policy for web communication. Service 414 may also access filtering server 490 to obtain the category corresponding to the requested web site; alternatively, filtering service 414 may have previously cached the category corresponding to the requested site. If the local policy denies the request, filtering service 414 instructs network filter driver 421 to modify or delete the user-initiated request, redirecting browser 411 to a web page indicating that the request is not approved.
If the applicable local policy allows the request, filtering service 414 instructs browser helper object 413 to pass the request through. Filtering service 414 generates a networking identifier using a hash of the request, the current time, and the number generated when the user logged on to the computer. This networking identifier is then passed to browser helper object 413 via filtering service API 417.
Referring now to step 530, the special identifier is included in any additional requests associated with the initial user-initiated request. In some embodiments, the automatic requests corresponding to a single user-initiated request do not require further authentication; moreover, in some such embodiments, these automatic requests are not logged. The helper application includes the special identifier in these automatic requests, e.g., by placing it in a header of the outgoing request. Additionally, in some embodiments, further user-initiated requests for content on the same site may not require additional authentication. For example, in some embodiments, after a user-initiated request for a web site has been allowed, further user-initiated requests for that site may also include the special identifier. In such embodiments, where the current time is used to generate the special identifier, the filtering service causes the special identifier to expire after a set duration.
With reference now to step 535,, the intercepting additional request.In certain embodiments, the network filter driver is configured to intercept all output requests, and removes these requests with filtering services.
With reference now to step 540,, checks that additional request is to determine existing of effective special identifier symbol.
With reference now to step 543,, if additional request does not comprise the special identifier symbol, this request should be certified so.According to step 520, filtering services begins to authenticate this request.
With reference now to step 545,, if additional request comprises the special identifier symbol, should request be exempted authentication so.In certain embodiments, filtering services indication network filter driver is removed the special identifier symbol and is allowed this request to be transmitted.
Continue the example presented above, when being written in the website of asking, the automatic request that is stored in the image on the destination website 470 is generated by browser 411.Browser assistant object 413 is included in Client-initiated the networking identifier in all relevant stems of asking automatically of the request of the webpage on the destination website 460.These are asked automatically by 421 interceptings of network filter driver, and by network filter driver 421 notification filter service 414.The networking identifier that filtering services 414 will be included in the stem of request is compared with the copy of the networking identifier of storage.If the networking identifier is effective and not out of date, filtering services 414 indication network filter drivers 421 are removed the networking identifier from request so, and transfer them to network stack 423.If receive the request that lacks the identifier of networking, if perhaps the networking identifier is no longer valid, filtering services 414 attempts to confirm this request so, as mentioned above.
Various embodiments of the present invention have so been described.Though the present invention describes in a particular embodiment, should be appreciated that, the present invention should not be construed as limited to these embodiment, but explains according to appended claims.
Claims (20)
1. A method (500) for selectively filtering communication, the method comprising:
receiving, at a client computing device, an initial request for network-accessible content generated by a networking program on the client computing device;
determining, by a filtering service on the client computing device, whether the initial request can be allowed, the filtering service being configured to monitor the networking program;
if the initial request can be allowed with reference to a filtering policy, generating (525), by the filtering service, a special identifier corresponding to the initial request;
including the special identifier corresponding to the initial request in a subsequent request for network-accessible content, intercepted from the networking program, that is related to the initial request for network-accessible content; and
if the subsequent request includes the special identifier corresponding to the initial request, allowing the subsequent request by the filtering service without reference to the filtering policy.
2. The method of claim 1, wherein the filtering policy comprises a local policy on network communication.
3. The method of claim 1, wherein the filtering service refers to a classification corresponding to the content related to the initial request.
4. The method of claim 1, wherein the special identifier corresponding to the initial request is generated from a timestamp, an identifier corresponding to the user, and a portion of the initial request.
5. The method of claim 1, wherein the initial request is a user-initiated request, and the subsequent request is an automatic request related to the user-initiated request.
6. The method of claim 1, further comprising:
determining whether the special identifier included in the subsequent request is valid.
7. The method of claim 1, further comprising:
logging the initial request; and
allowing the subsequent request (545) without logging the subsequent request.
8. A method for selectively filtering communication, comprising:
identifying, by a helper application on a client computing device, a user-initiated request for network-accessible content generated by a networking program on the client computing device, wherein the helper application is coupled to the networking program;
determining, by a filtering service on the client computing device, whether the user-initiated request is allowable, wherein the filtering service is coupled to the helper application;
the filtering service monitoring the networking program on the client computing device and, where the user-initiated request is allowable with reference to a filtering policy, generating a special identifier corresponding to the user-initiated request;
the helper application intercepting requests for network-accessible content generated by the networking program, and including the special identifier corresponding to the user-initiated request in a subsequent request for network-accessible content, intercepted from the networking program, that is related to the user-initiated request; and
if the subsequent request includes the special identifier corresponding to the user-initiated request, the filtering service allowing the subsequent request without reference to the filtering policy, and the filtering service instructing the network filter driver to remove the special identifier corresponding to the user-initiated request from the subsequent request.
9. The method of claim 8, wherein the filtering policy is a local policy on network communication.
10. The method of claim 8, wherein the filtering service refers to a classification corresponding to the content related to the user-initiated request.
11. The method of claim 10, wherein the classification is obtained from a remote filter server.
12. The method of claim 10, wherein the classification is obtained from a local cache maintained by the filtering service.
13. The method of claim 8, wherein the filtering service is configured to reject the special identifier after a predetermined length of time.
14. A method for selectively filtering communication, comprising:
receiving a user-initiated request for network-accessible content generated by a networking program on a client computing device;
determining whether the user-initiated request is allowable;
if the user-initiated request is allowable with reference to a filtering policy, generating an identifier corresponding to the user-initiated request;
including the identifier corresponding to the user-initiated request in a subsequent request for network-accessible content, intercepted from the networking program, that is related to the user-initiated request;
determining that the subsequent request includes the identifier corresponding to the user-initiated request;
determining that the identifier corresponding to the user-initiated request is valid; and
allowing the subsequent request without reference to the filtering policy.
15. The method of claim 14, further comprising:
comparing a classification corresponding to the network-accessible content with the filtering policy.
16. The method of claim 14, wherein the identifier corresponding to the user-initiated request is generated by hashing a timestamp, a value corresponding to the user, and a portion of the user-initiated request.
17. The method of claim 14, wherein the user-initiated request is initiated in response to the user entering a uniform resource locator (URL) or clicking a hyperlink to the requested website, and
the subsequent request comprises an automatic request for an image on the requested website, generated by the networking program in response to the user-initiated request.
18. The method of claim 14, wherein the user-initiated request comprises a Hypertext Transfer Protocol (HTTP) request.
19. The method of claim 14, wherein the user-initiated request comprises a request for access to digital multimedia content.
20. The method of claim 14, wherein the user-initiated request comprises a request for access to an online game.
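The flow of steps 520 through 545, and of claims 1, 8 and 14, as an added worked example that is not code from the patent or from any Microsoft product. It models the three components as Python classes: the filtering service checks a user-initiated request against a constructed local policy and classification cache, mints the special identifier, and later validates it; the helper application places the identifier in a header of related automatic requests; the network filter driver intercepts every outbound request, exempts those carrying a valid identifier, strips the header, and sends anything else back through the policy check. Everything beyond the patent's description is an assumption: the header name X-Filter-Id, the 300-second lifetime, the constructed policy and site names, and the choice to make the identifier an HMAC over the requested site and the issue time, keyed with the login-time secret. The patent says only that a hash of the request, the current time and the login number is used; keying the hash and binding it to the site is the hardening a practitioner would want, because it keeps a guessed or reused identifier from exempting a request to a different site.

```python
# Added illustration of steps 520-545 and claims 1, 8 and 14; not code from the
# patent or from any Microsoft product. Assumed, not stated in the patent: the
# identifier is an HMAC tag keyed with the login-time secret, and requests are
# dicts of "url" and "headers".
import hashlib
import hmac
import time
from urllib.parse import urlsplit

IDENTIFIER_HEADER = "X-Filter-Id"  # constructed header name
TOKEN_LIFETIME_SECONDS = 300       # assumed "set duration" before the identifier expires
# Constructed local policy and a constructed stand-in for the remote filter
# server's classification, as held in the service's local cache.
LOCAL_POLICY = {"education": True, "news": True, "gambling": False}
CATEGORY_CACHE = {"example.edu": "education", "news.example": "news",
                  "bets.example": "gambling"}


def site_of(url: str) -> str:
    return urlsplit(url).hostname or ""


class FilteringService:
    """Filtering service 414: policy check plus minting/validating the identifier."""

    def __init__(self, login_secret: bytes, now=time.time):
        self._secret = login_secret  # "number generated when the user logs in"
        self._now = now              # injectable clock so expiry can be exercised
        self.log = []                # user-initiated requests are logged (step 520)

    def is_allowed(self, url: str) -> bool:
        return LOCAL_POLICY.get(CATEGORY_CACHE.get(site_of(url)), False)

    def _tag(self, site: str, issued: int) -> str:
        # Hash over part of the request, the time and the login secret (claim 4).
        return hmac.new(self._secret, f"{site}|{issued}".encode(),
                        hashlib.sha256).hexdigest()[:32]

    def check_user_request(self, url: str):
        """Steps 520-525: log and evaluate; return an identifier if allowed, else None."""
        self.log.append(url)
        if not self.is_allowed(url):
            return None
        site, issued = site_of(url), int(self._now())
        return f"{site}|{issued}|{self._tag(site, issued)}"

    def validate(self, identifier: str, url: str) -> bool:
        """Steps 540-545: accept only an unexpired identifier minted for this site."""
        try:
            site, issued_s, tag = identifier.split("|")
            issued = int(issued_s)
        except ValueError:
            return False
        if site != site_of(url) or self._now() - issued > TOKEN_LIFETIME_SECONDS:
            return False
        return hmac.compare_digest(tag, self._tag(site, issued))


class HelperApplication:
    """Browser helper object 413: passes the user request on, tags automatic ones (step 530)."""

    def __init__(self, service: FilteringService):
        self.service, self.identifier = service, None

    def user_navigates(self, url: str) -> bool:
        self.identifier = self.service.check_user_request(url)
        return self.identifier is not None

    def automatic_request(self, url: str) -> dict:
        headers = {IDENTIFIER_HEADER: self.identifier} if self.identifier else {}
        return {"url": url, "headers": headers}


class NetworkFilterDriver:
    """Network filter driver 421: intercepts every outbound request (step 535)."""

    def __init__(self, service: FilteringService):
        self.service, self.forwarded = service, []

    def intercept(self, request: dict) -> str:
        url, headers = request["url"], dict(request["headers"])
        ident = headers.pop(IDENTIFIER_HEADER, None)  # identifier never reaches the network
        if ident is not None and self.service.validate(ident, url):
            self.forwarded.append({"url": url, "headers": headers})
            return "exempt"  # step 545: no policy lookup for this request
        if self.service.check_user_request(url) is not None:  # step 543: back to step 520
            self.forwarded.append({"url": url, "headers": headers})
            return "allowed"
        return "blocked"


def run_scenario(clock=time.time) -> dict:
    """The patent's example: blocked site, allowed page, its image, and a cross-site ride-along."""
    service = FilteringService(b"constructed-login-secret", now=clock)
    helper, driver = HelperApplication(service), NetworkFilterDriver(service)
    return {
        "blocked_site": helper.user_navigates("http://bets.example/"),
        "allowed_site": helper.user_navigates("http://example.edu/"),
        "image": driver.intercept(helper.automatic_request("http://example.edu/logo.png")),
        "cross_site": driver.intercept(helper.automatic_request("http://bets.example/ad.png")),
        "stripped": all(IDENTIFIER_HEADER not in r["headers"] for r in driver.forwarded),
    }
```

run_scenario() walks the patent's own example: the request to the blocked site is refused, the page on the allowed site is permitted and its image request rides through on the identifier with the header removed before it reaches the simulated network stack, and an automatic request to a different site carrying the same identifier is sent back through the policy check rather than exempted. The driver pops the header on every path, so an invalid or expired identifier is never forwarded either, and an identifier that has aged past TOKEN_LIFETIME_SECONDS fails validation exactly as step 545 requires.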
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/050,162 US8208375B2 (en) | 2008-03-17 | 2008-03-17 | Selective filtering of network traffic requests |
US12/050,162 | 2008-03-17 | ||
PCT/US2009/033877 WO2009117194A1 (en) | 2008-03-17 | 2009-02-12 | Selective filtering of network traffic requests |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101978665A CN101978665A (en) | 2011-02-16 |
CN101978665B true CN101978665B (en) | 2013-08-21 |
Family
ID=41062911
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009801098926A Active CN101978665B (en) | 2008-03-17 | 2009-02-12 | Selective filtering of network traffic requests |
Country Status (4)
Country | Link |
---|---|
US (1) | US8208375B2 (en) |
EP (1) | EP2255505B1 (en) |
CN (1) | CN101978665B (en) |
WO (1) | WO2009117194A1 (en) |
- 2008
  - 2008-03-17 US US12/050,162 patent/US8208375B2/en not_active Expired - Fee Related
- 2009
  - 2009-02-12 EP EP09722192.3A patent/EP2255505B1/en active Active
  - 2009-02-12 CN CN2009801098926A patent/CN101978665B/en active Active
  - 2009-02-12 WO PCT/US2009/033877 patent/WO2009117194A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
EP2255505B1 (en) | 2018-07-11 |
WO2009117194A1 (en) | 2009-09-24 |
US20090231998A1 (en) | 2009-09-17 |
EP2255505A4 (en) | 2015-09-30 |
CN101978665A (en) | 2011-02-16 |
US8208375B2 (en) | 2012-06-26 |
EP2255505A1 (en) | 2010-12-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| ASS | Succession or assignment of patent right | Owner name: MICROSOFT TECHNOLOGY LICENSING LLC; Free format text: FORMER OWNER: MICROSOFT CORP.; Effective date: 20150522 |
| C41 | Transfer of patent application or patent right or utility model | |
| TR01 | Transfer of patent right | Effective date of registration: 20150522; Address after: Washington State; Patentee after: Microsoft Technology Licensing LLC; Address before: Washington State; Patentee before: Microsoft Corp. |